License Compliance widget link on MR from forked project leads to 404

Summary

The License Compliance widget on the MR "SASTBot: Monthly dependency updates for 17.6" (gitlab-org/security-products/analyzers/sobelow!129, merged, authored by Adam Cohen, milestone 17.6) shows the following:

image

Clicking on the Used by 1 package link https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/pipelines/1535121570/licenses results in a 404:

image

The correct link should include the forked project namespace: https://gitlab.com/gitlab-org/security-products/analyzers/sast-bot/sobelow-forked/-/pipelines/1535121570/license.

Steps to reproduce

  1. Fork a project, such as https://gitlab.com/gitlab-org/security-products/analyzers/sobelow

  2. Add a package with a new license, such as uniuri which uses Creative Commons Zero v1.0 Universal:

    diff --git a/main.go b/main.go
    index 0c386ab..b27301f 100644
    --- a/main.go
    +++ b/main.go
    @@ -3,6 +3,7 @@ package main
     import (
            "os"
    
    +       "github.com/dchest/uniuri"
            log "github.com/sirupsen/logrus"
    
            "gitlab.com/gitlab-org/security-products/analyzers/command/v3"
    @@ -25,6 +26,8 @@ func main() {
                    LoadRulesetConfig: loadRulesetConfig,
            })
    
    +       uniuri.New()
    +
            if err := app.Run(os.Args); err != nil {
                    log.Fatal(err)
            }
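Review bot: the added line `+       uniuri.New()` discards the function's return value, so the call exists only to keep the new import used and pull the CC0-licensed package into go.mod for the reproduction; a short comment on that line saying so (for example `// unused on purpose: exercises License Compliance only`) would make the intent clear to anyone reading the draft MR.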
  3. Run a pipeline and view the License Compliance widget in the MR, for example "Draft: Add package with new license DO NOT MERGE" (gitlab-org/security-products/analyzers/sobelow!130, authored by Adam Cohen):

    image

  4. Click on the Used by 1 package link and notice that it takes you to a 404, https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/pipelines/1536236177/licenses, whereas it should take you to the forked-project URL https://gitlab.com/adamcohen/sobelow/-/pipelines/1536236177/licenses.

Example Project

What is the current bug behavior?

The Used by 1 package link returns a 404.

What is the expected correct behavior?

The Used by 1 package link should return a 200 and direct us to a valid page.

Possible fixes

Update the Rails backend so that, when it generates the License Compliance widget links, it detects whether the MR was opened from a forked project and builds the pipeline URL from the source (forked) project's path rather than the target project's path.
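The following is an added illustration of the link-building logic described in this issue; it is not GitLab's own code. It models an MR with a minimal hypothetical struct (`MergeRequest` with `target_project_path`, `source_project_path` and `head_pipeline_id`), shows the current behaviour that always uses the target project's namespace, and the corrected behaviour that uses the source project's namespace when the MR comes from a fork. The sample paths and pipeline id are the ones quoted in the reproduction steps above.

```ruby
# Added example, not GitLab code: License Compliance widget link construction
# for merge requests opened from a fork.

# Hypothetical stand-in for the MR attributes the widget needs.
MergeRequest = Struct.new(:target_project_path, :source_project_path, :head_pipeline_id,
                          keyword_init: true)

BASE_URL = "https://gitlab.com".freeze

# Current (buggy) behaviour: the link is always built from the target
# project's path, which 404s because the head pipeline of a fork MR
# belongs to the source project.
def license_scanning_url_buggy(mr)
  "#{BASE_URL}/#{mr.target_project_path}/-/pipelines/#{mr.head_pipeline_id}/licenses"
end

# True when the MR's source project differs from its target project.
def from_fork?(mr)
  !mr.source_project_path.nil? && mr.source_project_path != mr.target_project_path
end

# Corrected behaviour: use the project that actually ran the head pipeline.
# For a fork MR that is the source project; otherwise source and target are
# the same project, so the result is unchanged.
def license_scanning_url(mr)
  project_path = from_fork?(mr) ? mr.source_project_path : mr.target_project_path
  "#{BASE_URL}/#{project_path}/-/pipelines/#{mr.head_pipeline_id}/licenses"
end

# Constructed sample matching the reproduction steps in this issue.
if $PROGRAM_NAME == __FILE__
  fork_mr = MergeRequest.new(
    target_project_path: "gitlab-org/security-products/analyzers/sobelow",
    source_project_path: "adamcohen/sobelow",
    head_pipeline_id: 1536236177
  )
  puts "buggy:     #{license_scanning_url_buggy(fork_mr)}"
  puts "corrected: #{license_scanning_url(fork_mr)}"
end
```

The same check applies to any widget link that embeds a pipeline id: the namespace in the URL must be the project that owns the pipeline, not the project that owns the merge request.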

/cc @tkopel @johncrowley

Edited by Adam Cohen